gdpr-for-smbs-preparedness-privacy-protection

There’s a lot of uncertainty surrounding the new General Data Protection Regulation (GDPR) affecting the European Union; the impact it will have on businesses inside and outside of the EU and the specifics on ensuring compliance remain a little foggy, even as May 25th quickly approaches. But it’s certainly troubling that many business managers and C-level executives at small to medium-sized businesses don’t know what it is or if it applies to them. If you fit in this group, now’s the time to review the requirements laid out by the new regulation and examine the data protection measures you currently have in place, whether or not the GDPR applies to you.

The Fast Facts

The “most important change in data privacy in 20 years,” the General Data Protection Regulation was designed to make privacy laws across Europe consistent while better protecting citizens’ data and privacy rights.1 It becomes effective on May 25th, at which point businesses face fines if they are not compliant with what the regulation sets forth. You can read the full text of the regulation, but here are a few noteworthy fast facts about the GDPR and what it covers:

The GDPR has an increased jurisdiction that makes the regulation apply to any company processing the personal data of EU citizens, regardless of where the company itself is located

Fines and other penalties for those not complying apply to both data controllers and processors

Conditions for consent can no longer be lengthy and illegible or contain confusing legalese; they must be easily understood by those who need to review and agree or disagree to them

EU citizens have the right to be notified of data breaches in a timely manner and have the right to access their personal data or be forgotten by those who hold their identifiable data

Companies that conduct large-scale personal data monitoring or processing should have a data protection officer

What GDPR Means for SMBs

Regardless of its impact on your business and the people you serve, the GDPR comes at a good time for today’s SMBs because it serves as a reminder of the critical importance of protection and security in the age of big data. Collecting, handling, reviewing, and sharing data comes at a price for all parties involved, but increasingly the public demands more responsible control over their personally identifiable information and more transparency regarding the use of their data. Many small companies also neglect the safety of their own internal data, overlooking storage, backup, and recovery issues or holding on to outdated practices that present great risks.

For SMBs, GDPR means getting your act together: appointing leaders to own the implementation of your data protection measures, developing a strategy with clear action items and recovery processes, reviewing your IT environment and updating your storage and protection needs, and working with a service provider to ensure proper data security setup and ongoing maintenance. If you don’t have all the answers, take the time to nail them down so you can keep your team safe, your business in operation, and everyone’s data fully protected.

To keep things optimistic for those feeling overwhelmed, remember that the GDPR is helping all of us work toward a safer, more productive market for businesses and consumers. Improved conditions for consent will bring more qualified leads to your door, the public’s trust in companies will rise, and you won’t waste time and money marketing to people who don’t want your products or services.

Still left with questions about the GDPR and why it’s a groundbreaking regulation? See if your questions are answered in the interview below with two leading IT experts.

Hear from the Experts

Razor Technology, an end-to-end IT and cloud solutions provider, and Layer 8 Security, a comprehensive cybersecurity services company, work together to offer security solutions for modern business owners looking to manage their risk, meet compliance standards, and maintain operational efficiency. We spoke with experts from both organizations about some of the most important elements of GDPR, how SMBs can prepare to comply with the new regulation, and how today’s business leaders can weather new data privacy changes in a fast-paced world.

What are your thoughts on how the EU GDPR will empower citizens’ data privacy and reshape the way organizations approach data privacy?

Tom Reynolds: With the current state of Facebook and data mining, data protection and privacy are at the front of everyone’s mind. A codified law surrounding these issues steps it up for people, in a way. It’s a much bigger concern now that the public expects and deserves higher privacy standards.

Kevin Hyde: GDPR will have a significant effect on both the public and today’s businesses because this regulation is more all-encompassing and stringent than previous efforts to enforce data protection. There’s still so much guesswork involved for companies when it comes to finding the best ways to comply, but it’s great for citizens. I’d love to have my data protected the way EU citizens’ is protected. We’re thinking that this regulation is the start of a movement that will work its way around the globe.

What constitutes “personal data” today and how does the definition affect GDPR compliance?

TR: The idea of what personal data is has greatly expanded over the years to be a whole host of things considered personal and private, such as browsing history and purchase history. Due to the advent of data mining, the commodification of data, and the practice of big data analytics, companies can get deeper into the private lives of the public. The definition of personal data has to expand and grow with these new practices to reflect the state of things.

KH: The definition is highly projective. Some people consider a name and an address to be personally identifiable information (PII), and typically we say that PII is criteria that creates a personal profile of an individual. But PII is considered to be something that is an aggregation of data. Regardless, the term is vague and the GDPR is keeping it vague so that entities might be pushed to enable too much protection rather than too little.

What is the value of strengthening conditions for consent and discouraging the use of long, illegible terms and conditions and legalese?

KH: Protecting the individual’s privacy rights through strengthened conditions is clearly better for the consumer, but it opens up potential liability issues for companies if they don’t disclose enough. A lot of companies use third-party vendors as part of their service offering, but these parent companies could come into contact with EU data and need to do a better job of vetting and managing their vendors. The GDPR will make management more complicated, but it’s good that businesses will take on the increased level of responsibility that they should.

TR: I second everything Kevin said, but want to reiterate that ideally for consumers, the days of not being able to understand conditions for consent should be gone, and the GDPR will help facilitate this.

Can you explain the term “privacy by design” and how it applies to data protection solutions and SMBs?

KH: The GDPR requires that privacy be included in any design considerations and in the work of any service provider, whether a controller or processor. This concept is something those of us working in IT are already familiar with, but any SMB using a management program should also maintain these ways of thinking and have privacy by design practices in place. Privacy by design means privacy is not a bolted-on piece; it’s an intrinsic property of how a program operates.

What are some ways SMBs can prepare to comply with the GDPR?

KH: Companies need to have some mechanism through which data is accessible and they need to go beyond what was acceptable in the past to ensure GDPR compliance. If a company is unsure about what level of protection they need or how to get started, they should work with a data protection solutions provider to meet compliance needs. We approach GDPR compliance for our clients by first reducing the scope of what a company is responsible for: find the minimum requirements that apply to your business, learn what it takes to pull and provide data to individuals, establish a way of knowing if data gets out into the wild. GDPR requirements are really the basic building blocks of an information security policy, and we want to emphasize that businesses must take a layered approach to satisfying these needs.

Companies should also ensure a framework for accountability and risk management. GDPR needs to be handled out of the CFO, CEO, or general counsel office; upper-level management must ask itself what risks the company faces, what information security framework they’re willing to put in place, and who owns and enforces this process. Creating accountability for managing risk is important, which is why C-level involvement is crucial, even if management does not own the whole process. There are tough questions to answer, but every business that the GDPR applies to must answer them.

TR: The biggest thing to recognize is that GDPR compliance is not a technology-driven effort, and information security in general shouldn’t be tech-driven. Smaller businesses don’t often understand this, so the GDPR will probably drive this idea home. If an SMB has any doubts about their security measures, they must bring in someone that has experience and can help—there’s just too much at risk.

How should businesses approach updating their privacy policies?

TR: Take a look at your privacy policy to find its origin. It’s no longer okay to throw up a policy that someone found online and change the name to suit your company. You need to be careful about what you’re putting out there, so check to make sure your policy is appropriate for your business and target audience and that it accurately represents what you do.

How can Razor Technology and Layer 8 Security help SMBs prepare for GDPR compliance?

KH: Several of our clients come to us for GDPR concerns and we have some basic technical services that we can immediately put into effect to help them kick off a comprehensive plan. We work with them to uncover the processes they have in place and then help organically build their own information security program. Performing a data protection strength test can help us see where a business is with their existing efforts and our consulting work can reduce the scope of what the company would be responsible for when it comes to GDPR compliance. For companies big and small, when you need a privacy policy written, when you need data security training, when you need a data protection officer, Razor Tech and Layer 8 are here—but all of this also requires an SMB management team that fully understands the crucial investment that is data security.

Are You Ready for GDPR Compliance?

Do you need help deciding if your business is GDPR-ready? With the help of our partners at Layer 8 Security, Razor Technology offers GDPR preparedness guidance along with data security and protection services. Contact us today to learn what your responsibility is in this new regulation and how you can build a secure data program that meets your business’s needs.
